Red Flag Rules – The Next Steps for Physicians

The red flag rules, which require creditors to implement a formal policy for detecting and preventing identity theft, also apply to the healthcare industry. The effective date for the red flag rules has been delayed until August 1, 2009. The red flag rules were authorized under “the 2003 Fair and Accurate Credit Transitions Act, which” covers “entities that regularly extend credit, or defer payment for services.” The FTC claims that physicians are considered creditors under the rules. However, the American Medical Association and several medical organizations are continuing to challenge what they believe is an overly broad legal interpretation. In the meantime, organized medicine and legal experts urge doctors to implement the necessary compliance measures. The rules require physician practices to identify red flags, or warning signs, of potential identity theft occurrences, create a corporate policy for responding to such risks, and train staff on the new policy.

Physicians should follow these practical tips when developing and implementing their identity theft prevention policies:

• Identify warning signs of potential identity theft that may occur in daily operations. Such red flags may include bills for services not rendered, inconsistent medical records, insurance claims denials or exhaustion of patient benefits.

• Incorporate specified administrative requirements in the written policy, including seeking management approval, identifying a specific staff member to oversee implementation and conducting staff training.

• Review and update the identity theft prevention policy at least once a year.